New StopCrypt Ransomware Variant Discovered in the Wild

A new variant of StopCrypt ransomware, also known as STOP Djvu, targets consumers through malvertising and shady sites, and researchers are concerned by its stealthy evolution. Separately, the Blind Eagle threat actor is expanding its targeting footprint with phishing emails that deliver Remote Access Trojans such as Remcos RAT and NjRAT, and cybersecurity researchers have discovered GitHub repositories offering cracked software that is used to deliver the RisePro stealer, while Snake Keylogger is among the stealer malware increasingly used for data exfiltration.

At a glance

  • A new variant of StopCrypt ransomware, also known as STOP Djvu, targets consumers for smaller ransom payments.
  • StopCrypt ransomware is distributed through malvertising and shady sites disguised as free software, game cheats, and software cracks.
  • StopCrypt uses a multi-stage execution process involving shellcodes to evade security tools.
  • Blind Eagle threat actor has been using Ande Loader to deliver Remote Access Trojans (RATs) like Remcos RAT and NjRAT through phishing emails targeting Spanish-speaking users in the North American manufacturing industry.
  • RisePro is distributed using the pay-per-install malware downloader PrivateLoader, which is designed to gather sensitive information and exfiltrate it into Telegram channels.

The details

A new variant of StopCrypt ransomware, also known as STOP Djvu, has been discovered in the wild.

This variant of StopCrypt ransomware targets consumers rather than businesses, with the aim of obtaining smaller ransom payments.

The ransomware is distributed through malvertising and shady sites disguised as free software, game cheats, and software cracks.

Infected users often seek help from security researchers and ransomware experts.

The ransomware encryptor has not changed much since its original release in 2018.

SonicWall’s threat research team uncovered the new variant of the STOP ransomware, now called StopCrypt.

StopCrypt uses a multi-stage execution process involving shellcodes to evade security tools.

The malware loads a DLL file as a diversion and implements time-delaying loops to bypass security measures.

API calls are used to allocate memory regions with read, write, and execute permissions.

StopCrypt takes snapshots of running processes to understand its operating environment.

Process hollowing is used to hijack legitimate processes and inject the ransomware payload for discreet execution.

A series of actions is taken to secure persistence for the ransomware, modify access control lists, and create a scheduled task for payload execution.

Encrypted files have a “.msjd” extension added to their names.

A ransom note named “_readme.txt” is created in every impacted folder with instructions for paying the ransom.
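As an added illustration that is not part of the article or of SonicWall's analysis, the following Python script applies the two on-disk artifacts named above as a simple triage check: it walks a directory tree, lists files carrying the ".msjd" extension and any "_readme.txt" ransom notes, and reports which folders are impacted and which folders hold a note without any encrypted file (a hint that encryption was interrupted or is still under way). The directory layout it builds is constructed sample data, and the function and class names are this example's own.

```python
from __future__ import annotations

import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators taken from the article: encrypted files gain a ".msjd"
# extension and a "_readme.txt" ransom note lands in every impacted folder.
ENCRYPTED_EXT = ".msjd"
RANSOM_NOTE = "_readme.txt"


@dataclass
class ScanResult:
    """Paths are stored relative to the scanned root for readable reports."""
    encrypted_files: list[str] = field(default_factory=list)
    ransom_notes: list[str] = field(default_factory=list)

    @property
    def impacted_folders(self) -> set[str]:
        """Folders holding either an encrypted file or a ransom note."""
        return {os.path.dirname(p) for p in self.encrypted_files + self.ransom_notes}

    @property
    def notes_without_encrypted_files(self) -> set[str]:
        """Folders with a note but no encrypted file: worth manual triage,
        since encryption may have been interrupted or may still be running."""
        note_dirs = {os.path.dirname(p) for p in self.ransom_notes}
        enc_dirs = {os.path.dirname(p) for p in self.encrypted_files}
        return note_dirs - enc_dirs


def scan_for_stopcrypt_artifacts(root: str) -> ScanResult:
    """Walk `root` and collect the two StopCrypt artifacts named in the article."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                result.ransom_notes.append(rel)
            elif lowered.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(rel)
    result.encrypted_files.sort()
    result.ransom_notes.sort()
    return result


def build_sample_tree() -> str:
    """Create a throwaway directory that mimics a partially encrypted user
    profile. Constructed sample data, not taken from a real infection."""
    root = tempfile.mkdtemp(prefix="stopcrypt_demo_")
    layout = {
        "Documents/report.docx.msjd": b"\x00" * 16,
        "Documents/_readme.txt": b"<placeholder ransom note text>",
        "Pictures/holiday.jpg.msjd": b"\x00" * 16,
        "Pictures/_readme.txt": b"<placeholder ransom note text>",
        "Downloads/setup.exe": b"MZ",  # untouched file, should not be flagged
        "Downloads/_readme.txt": b"<placeholder ransom note text>",  # note only
    }
    for rel, content in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        report = scan_for_stopcrypt_artifacts(demo_root)
        print("encrypted files:", report.encrypted_files)
        print("ransom notes:   ", report.ransom_notes)
        print("impacted folders:", sorted(report.impacted_folders))
        print("note-only folders:", sorted(report.notes_without_encrypted_files))
    finally:
        shutil.rmtree(demo_root, ignore_errors=True)
```

Pointed at a real user profile instead of the sample tree, the same scan gives a responder a quick count of impacted folders before deciding on isolation and restore-from-backup; matching only on the exact extension and note name keeps false positives low, at the cost of missing variants that use a different extension.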

The evolution of StopCrypt into a more stealthy and powerful threat highlights a concerning trend in cybercrime.

Researchers have expressed concern that the analyzed sample may be for an older version of the ransomware.

In a separate incident, the Blind Eagle threat actor has been using Ande Loader to deliver Remote Access Trojans (RATs) like Remcos RAT and NjRAT. Phishing emails targeting Spanish-speaking users in the manufacturing industry in North America have been observed.

Blind Eagle has a history of cyber attacks in Colombia and Ecuador using various RATs.

The threat actor is expanding its targeting footprint with phishing emails containing RAR and BZ2 archives.

RAR archives contain a VBScript file for persistence and launching Ande Loader for Remcos RAT, while BZ2 archives are distributed via Discord CDN links for the NjRAT payload.

Crypters by Roda and Pjoao1578 are used by Blind Eagle for obfuscation.

SonicWall also details DBatLoader malware using the RogueKiller AntiMalware driver to deliver Remcos RAT. The malware is typically received as an email attachment wrapped in multiple layers of encrypted data.

Furthermore, cybersecurity researchers have discovered GitHub repositories offering cracked software used to deliver RisePro.

The campaign named “gitgub” involved 17 repositories from 11 different accounts, which a Microsoft-owned subsidiary took down.

The repositories featured a README.md file promising free cracked software, with green and red circles added to display status and legitimacy.

RAR archive files in the repositories contained an installer file requiring a password from the README.md.

The installer file unpacked the next-stage payload, injecting RisePro into AppLaunch.exe or RegAsm.exe.

RisePro is distributed using the pay-per-install malware downloader PrivateLoader, which is designed to gather sensitive information and exfiltrate it into Telegram channels.

Snake Keylogger is described as a stealer malware that uses FTP, SMTP, and Telegram for data exfiltration.

Stealer malware, like Snake Keylogger, is becoming increasingly popular as a primary vector for ransomware and data breaches.

RedLine, Vidar, and Raccoon have been identified as widely-used stealers.

Information-stealing malware is constantly evolving and adapting to defensive measures, and is most often used for financial gain.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– A new variant of StopCrypt ransomware, also known as STOP Djvu, has been discovered in the wild
– StopCrypt ransomware targets consumers rather than businesses, aiming for smaller ransom payments
– The ransomware is distributed through malvertising and shady sites disguised as free software, game cheats, and software cracks
– Infected users often seek help from security researchers and ransomware experts
– The ransomware encryptor has not changed much since its original release in 2018
– SonicWall’s threat research team uncovered the new variant of the STOP ransomware, now called StopCrypt
– StopCrypt uses a multi-stage execution process involving shellcodes to evade security tools
– The malware loads a DLL file as a diversion and implements time-delaying loops to bypass security measures
– API calls are used to allocate memory space for read/write and execution permissions
– StopCrypt takes snapshots of running processes to understand its operating environment
– Process hollowing is used to hijack legitimate processes and inject the ransomware payload for discreet execution
– A series of actions are taken to secure persistence for the ransomware, modify access control lists, and create a scheduled task for payload execution
– Encrypted files have a “.msjd” extension added to their names
– A ransom note named “_readme.txt” is created in every impacted folder with instructions for paying the ransom
– The evolution of StopCrypt into a more stealthy and powerful threat highlights a concerning trend in cybercrime
– Researchers have expressed concern that the analyzed sample may be for an older version of the ransomware
thehackernews.com
– Blind Eagle threat actor uses Ande Loader to deliver RATs like Remcos RAT and NjRAT
– Phishing emails targeting Spanish-speaking users in the manufacturing industry in North America
– Blind Eagle has a history of cyber attacks in Colombia and Ecuador using various RATs
– Threat actor expanding targeting footprint with phishing emails containing RAR and BZ2 archives
– RAR archives contain VBScript file for persistence and launching Ande Loader for Remcos RAT
– BZ2 archives distributed via Discord CDN link for NjRAT payload
– Crypters by Roda and Pjoao1578 used by Blind Eagle for obfuscation
– SonicWall details DBatLoader malware using RogueKiller AntiMalware driver to deliver Remcos RAT
– Malware received in email attachment with multiple layers of encryption data
thehackernews.com
– Cybersecurity researchers discovered GitHub repositories offering cracked software used to deliver RisePro
– The campaign named gitgub involved 17 repositories from 11 different accounts, taken down by a Microsoft-owned subsidiary
– Repositories featured README.md file promising free cracked software
– Green and red circles added to README.md file to display status and legitimacy
– RAR archive file in repositories contained an installer file requiring a password from README.md
– Installer file unpacked next-stage payload, injecting RisePro into AppLaunch.exe or RegAsm.exe
– RisePro distributed using pay-per-install malware downloader PrivateLoader
– RisePro is designed to gather sensitive information and exfiltrate to Telegram channels
– Snake Keylogger described as stealer malware using FTP, SMTP, and Telegram for data exfiltration
– Stealer malware is increasingly popular as the primary vector for ransomware and data breaches
– RedLine, Vidar, and Raccoon identified as widely-used stealers
– Information-stealing malware constantly evolving and adapting to threats, often used for financial gain
